IPAllowList Rejecting IP : empty IP address if excludedIPs

Hello,

I hope somebody can help me...

I don't understand why the ipAllowList middleware blocks me when I'm coming from Tailscale & android1

dynamic.yaml

http:
  middlewares:
    allow-local-only:
      IPAllowList:
        sourceRange:
          - 192.168.1.0/24
          - 100.64.0.0/10 # Tailscale
        ipStrategy:
          excludedIPs:
            - 192.168.1.40 # ignore the other reverse proxy for the AllowList

docker compose

services:
  whoami2:
    image: traefik/whoami

    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      # Definition of the router
      - "traefik.http.routers.router-traefik-whoami.rule=Host(`whoami.home.demo.com`)"
      - "traefik.http.routers.router-traefik-whoami.entrypoints=websecure"
      - "traefik.http.routers.router-traefik-whoami.middlewares=crowdsec@file,allow-local-only@file"
      # Definition of the service
      - "traefik.http.services.service-traefik-whoami.loadbalancer.server.port=80"

log:

DEBUG: CrowdsecBouncerTraefikPlugin: 2025/09/16 21:43:33 ServeHTTP ip:192.168.1.11 isTrusted:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2025/09/16 21:43:33 cache:Get key:192.168.1.11
DEBUG: CrowdsecBouncerTraefikPlugin: 2025/09/16 21:43:33 ServeHTTP:Get ip:192.168.1.11 isBanned:false cache:miss
DEBUG: CrowdsecBouncerTraefikPlugin: 2025/09/16 21:43:34 cache:Set key:192.168.1.11 value:f duration:60s
2025-09-16T21:43:34+02:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/ipwhitelist/ip_whitelist.go:68 > Rejecting IP : empty IP address middlewareName=allow-local-only@file middlewareType=IPWhiteLister

If I remove the excludedIPs 192.168.1.40, then it works with this whoami, but I need it.

Hostname: f31ad3fda191
IP: 127.0.0.1
IP: ::1
IP: 172.18.0.6
RemoteAddr: 172.18.0.4:48570
GET / HTTP/1.1
Host: whoami.home.demo.com
User-Agent: Mozilla/5.0 (Android 15; Mobile; rv:142.0) Gecko/142.0 Firefox/142.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: fr-FR
Priority: u=0, i
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Te: trailers
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 192.168.1.11
X-Forwarded-Host: whoami.brdapps.ovh
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: 884fcae3f3bc
X-Real-Ip: 192.168.1.11

Here is my network:

  • adguard machine is an exit node of my tailscale network
  • I use tailscale splitDNS to redirect *.home.demo.com to traefik-docker

Thanks to anybody that could help :slight_smile:

Seems to be the same as this issue : https://github.com/traefik/traefik/issues/10561

The workaround is to add another router without the ipAllowList if there is no X-Forwarded-For header:

services:
  whoami2:
    image: traefik/whoami

    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      # Definition of the router
      - "traefik.http.routers.router-traefik-whoami.rule=Host(`whoami.home.demo.com`)"
      - "traefik.http.routers.router-traefik-whoami.entrypoints=websecure"
      - "traefik.http.routers.router-traefik-whoami.middlewares=crowdsec@file,allow-local-only@file"
      # Definition of another router for local
      - "traefik.http.routers.router-traefik-whoami-local.rule=Host(`whoami.home.demo.com`) && !HeaderRegexp(`X-Forwarded-For`, `^.*$`)"
      - "traefik.http.routers.router-traefik-whoami-local.entrypoints=websecure"
      - "traefik.http.routers.router-traefik-whoami-local.middlewares=crowdsec@file"
      # Definition of the service
      - "traefik.http.services.service-traefik-whoami.loadbalancer.server.port=80"

In my opinion, Traefik should handle this case, and if there is nothing in X-Forwarded-For, it should check the remote address, like when there is no "excludedIPs".
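An added example, not code from this thread or from Traefik itself: a simplified Go model of the two ways the client IP can be chosen, following the documented excludedIPs behaviour (scan X-Forwarded-For from the right and skip excluded proxies). It reproduces the "empty IP address" rejection for a direct connection with no X-Forwarded-For header and shows the RemoteAddr fallback proposed above. The excludedIPs and sourceRange values come from the dynamic.yaml in this thread; the 100.64.0.5 peer address is constructed.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// Values from the thread's dynamic.yaml (excludedIPs and sourceRange).
var excludedIPs = map[string]bool{"192.168.1.40": true}
var sourceRange = []string{"192.168.1.0/24", "100.64.0.0/10"}
// ExcludedStrategyIP walks X-Forwarded-For from right to left and returns the
// first address that is not an excluded proxy; with no header it returns "".
func ExcludedStrategyIP(req *http.Request) string {
	parts := strings.Split(req.Header.Get("X-Forwarded-For"), ",")
	for i := len(parts) - 1; i >= 0; i-- {
		if ip := strings.TrimSpace(parts[i]); ip != "" && !excludedIPs[ip] {
			return ip
		}
	}
	return ""
}

// RemoteAddrIP is the fallback the poster asks for: the TCP peer address.
func RemoteAddrIP(req *http.Request) string {
	if host, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
		return host
	}
	return req.RemoteAddr
}

// Allowed applies sourceRange; an empty or unparsable IP is always rejected,
// which is the "Rejecting IP : empty IP address" line seen in the log.
func Allowed(ip string) bool {
	addr := net.ParseIP(ip)
	for _, cidr := range sourceRange {
		if _, block, err := net.ParseCIDR(cidr); err == nil && addr != nil && block.Contains(addr) {
			return true
		}
	}
	return false
}

// Decide returns the IP the middleware would check and the verdict; fallback=true
// models the proposed behaviour (use RemoteAddr when X-Forwarded-For yields nothing).
func Decide(req *http.Request, fallback bool) (string, bool) {
	ip := ExcludedStrategyIP(req)
	if ip == "" && fallback {
		ip = RemoteAddrIP(req)
	}
	return ip, Allowed(ip)
}
```

With fallback=false a direct Tailscale request yields "" and is rejected, while the same request via the second reverse proxy (X-Forwarded-For: 192.168.1.11) is allowed; with fallback=true the direct request is checked against its 100.64.0.0/10 peer address and passes.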

If you think this is a bug or should be a feature, you can tell the devs at the Traefik GitHub.
